We have released LibreSSL 2.2.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This nears the end of the OpenBSD 5.8 release cycle, featuring
expanded portable build support, code improvements, removal of obsolete
workarounds.
SSLv3 deprecation continues with its removal from openssl(1) and new linker
warnings on supported platforms, indicating if a program is still using the
SSLv3-only methods. We are working with upstream software providers to update
programs that were not ready for SSLv3 support to be removed entirely yet.
* Switched 'openssl dhparam' default from 512 to 2048 bits
* Reworked openssl(1) option handling
* More CRYPTO ByteString (CBC) packet parsing conversions
* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
* Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
* Ensure that openssl(1) restores terminal echo state after reading a
password.
* Incorporated fix for OpenSSL Issue #3683
* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
for each portable release.
* Removed workarounds for TLS client padding bugs.
* No longer disable ECDHE-ECDSA on OS X
* Removed SSLv3 support from openssl(1)
* Removed IE 6 SSLv3 workarounds.
* Modified tls_write in libtls to allow partial writes, clarified with
examples in the documentation.
* Removed RSAX engine
* Tested SSLv3 removal with the OpenBSD ports tree and found several
applications that were not ready to build without SSLv3 yet. For
now, building a program that intentionally uses SSLv3 will result in
a linker warning.
* Added TLS_method, TLS_client_method and TLS_server_method as a
replacement for the SSLv23_*method calls.
* Added initial cmake build support, including support for building with
Visual Studio, currently tested with Visual Studio 2013 Community
Edition.
* --with-enginesdir is removed as a configuration parameter
* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
installed under $sysconfdir/ssl or the directory specified by
--with-openssldir. Previous versions of LibreSSL left these empty.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.